The CISM Domains – An Overview

April 14, 2011 by Kenneth Magee

ISACA’s 2011 CISM fits into DoD 8570.01-M as satisfying IAM Level II.

The exam consists of 5 domains as follows:

Domain 1: Information Security Governance (23% of the exam or 46 questions)

Domain 2: Information Risk Management (22% of the exam or 44 questions)

Domain 3: Information Security Program Development (17% of the exam or 34 questions)

Domain 4: Information Security Program Management (24% of the exam or 48 questions)

Domain 5: Incident Management and Response (14% of the exam or 28 questions)

The exam consists of 200 multiple-choice questions that cover the five CISM job practice areas and is administered over a four-hour period. A scaled score of 450 or higher is required to pass the exam. Approximately eight weeks after the exam date, the official exam results are mailed to candidates. The final June certification exam registration deadline has been extended to April 15, 2011, so you have a couple of days left to sign up.

It’s important as an information security manager to understand the areas, not just to pass the exam, but to provide value to the Information Security Management process.



Ken is President and owner of Data Security Consultation and Training, LLC. He has taught cybersecurity at the JAG school at the University of Virginia, KPMG Advisory University, Microsoft and several major federal financial institutions and government agencies. As CISO for the Virginia Community College System, Ken’s focus was the standardization of security around the ISO 27000 series framework. Writing is one of his passions and he has authored and/or co-authored several courses, including CISSP, CISA, CISM, CGEIT, CRISC, DoD Cloud Computing SRG and a course for training Security Control Assessors using NIST SP 800-53A. Ken has also achieved a number of certifications, including CISSP, SSCP, CCSP, CAP, ISSMP, ISSAP, ISSEP, CISM, CISA, CAC, CEH, ISO9000LA, ISO14001LA, ISO27001PA, Security+, CySA+, CASP, CTT+, CPT, GSEC, GSNA, GWAPT, CIA, CGAP, CFE, MCP, MCSA, MCSE and MCT.

3 responses to “The CISM Domains – An Overview”

  1. Emric Delton says:

    Outstanding! I have been struggling to find guidance and recommendations on study material for the CISM. All I have found up to this point is a lot of boot camps and they certainly have their place, but I am not planning on passing the exam for the sake of saying I passed it. I intend on becoming a well-rounded ITSec Management professional and understand the discipline in depth. This is very much appreciated.

    • Kenneth Magee says:

      You will find that the CISM domains are geared towards making a security manager more successful in his/her job and thereby contributing “value” to the organization. I’ve taken an approach to each article which highlights the aspects of that section of information security.

  2. Deborah says:

    Is there a huge difference between the 2011 CISM exam and the 2012 CISM exam?
